Closed Bug 1340200 Opened 8 years ago Closed 21 days ago

Block subresource requests whose URLs include credentials

Categories

(Core :: Networking, task, P3)

task

Tracking


RESOLVED DUPLICATE of bug 479038
Tracking Status
firefox54 --- affected

People

(Reporter: valentin, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: sec-want, Whiteboard: [necko-triaged][necko-priority-new])

Attachments

(1 obsolete file)

A bit of background:
https://github.com/whatwg/fetch/pull/465

This should likely be implemented behind a pref, in case we regress major use cases, such as corporate network, etc.
Hi Patrick, what are your thoughts on this?
Flags: needinfo?(mcmanus)
Not sure why we would unilaterally do this. Is there a reason to do it without coordination?
Flags: needinfo?(mcmanus)
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P2
Please evaluate performance first, but have a look.
Assignee: nobody → valentin.gosu
The attached WIP patch blocks subresource requests that include credentials (if those credentials differ from the top level load). I think we also need to handle redirects, but that shouldn't be too difficult.
However, I think we should put off landing this for now until https://github.com/whatwg/fetch/pull/465 gets merged and we have proper WPT test coverage for it.
The only browser to have implemented this is Chrome, and they are currently dealing with regressions:
https://bugs.chromium.org/p/chromium/issues/detail?id=731618
Priority: P2 → P3

There doesn't seem to be any browser consensus on doing this yet.

Assignee: valentin.gosu → nobody
Blocks: url
Severity: normal → S3
Type: defect → task
Attachment #9024730 - Attachment is obsolete: true

It seems the regression against Chrome is closed and this would remove confusing user-facing dialogs. I suspect Johann et al would appreciate it if we did this. If that's the case I'd be happy to get that Fetch PR moving again.

Blocks: fetch
No longer blocks: url
Flags: needinfo?(jhofmann)

Sorry, I may be missing something, are we showing any dialogs for sub-resources with credentials? :)

Flags: needinfo?(jhofmann) → needinfo?(annevk)

Sorry, yes, those are indeed different things. What I was thinking of is tracked by bug 647010 I think.

The focus here is primarily reducing opportunities for dictionary attacks. And I think we agree that this would be good, but we were afraid of web compatibility. Now that Chrome has been shipping this for a number of years and the regressions haven't piled up, we should follow I think, unless I'm missing something.

Flags: needinfo?(annevk)
See Also: → 647010
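Added example, written for this page and not code from the WIP patch, Chrome, or the Fetch spec: a small JavaScript model of the check the WIP patch comment describes (refuse subresource requests whose URL carries userinfo, with the "same credentials as the top-level load" exemption and a per-redirect-hop pass) together with the dictionary-attack scenario the later comment gives as the motivation. It relies only on the WHATWG URL API; the function names, the pref-style enabled switch, the exemption option and every URL in it are assumptions or constructed samples.

```javascript
// Added example, not Firefox's patch, Chrome's implementation, or the Fetch
// spec algorithm: a simplified model of "block subresource requests whose
// URLs include credentials". Function names, the opts.enabled pref switch,
// the optional same-as-top-level exemption, and every URL below are
// assumptions or constructed samples.

// True when the URL carries userinfo, e.g. https://user:pass@host/path.
// The WHATWG URL parser exposes it as url.username / url.password.
function hasCredentials(urlString) {
  const url = new URL(urlString);
  return url.username !== "" || url.password !== "";
}

// Decide whether one request URL should be refused.
//   kind:        "navigation" (top-level load) or "subresource"
//   topLevelUrl: the document's URL, consulted only when
//                opts.exemptSameAsTopLevel is set (models the WIP patch's
//                "differ from the top level load" condition; an assumption)
//   opts.enabled: false models the pref being off (an assumption)
function shouldBlock(requestUrl, kind, topLevelUrl, opts = {}) {
  if (opts.enabled === false) return false;
  // Top-level navigations are out of scope: the user still gets the prompt.
  if (kind === "navigation") return false;
  if (!hasCredentials(requestUrl)) return false;
  if (opts.exemptSameAsTopLevel && topLevelUrl) {
    const req = new URL(requestUrl);
    const top = new URL(topLevelUrl);
    // origin excludes userinfo, so compare it and the credentials separately
    const sameOrigin = req.origin === top.origin;
    const sameCreds =
      req.username === top.username && req.password === top.password;
    if (sameOrigin && sameCreds) return false;
  }
  return true;
}

// Re-run the check on every hop: a clean initial URL may redirect to one
// that embeds credentials, which is the redirect case the thread mentions.
function checkRedirectChain(hops, kind, topLevelUrl, opts = {}) {
  for (let i = 0; i < hops.length; i++) {
    if (shouldBlock(hops[i], kind, topLevelUrl, opts)) {
      return { blocked: true, hop: i, url: hops[i] };
    }
  }
  return { blocked: false, hop: -1, url: null };
}

// Why subresources matter for dictionary attacks: a page can emit one
// <img> per password guess against an HTTP-auth host without any user
// interaction. Count how many of those guesses the policy lets through.
function guessesAllowed(host, user, guesses, topLevelUrl, opts = {}) {
  let allowed = 0;
  for (const guess of guesses) {
    const u = `https://${encodeURIComponent(user)}:${encodeURIComponent(guess)}@${host}/protected/`;
    if (!shouldBlock(u, "subresource", topLevelUrl, opts)) allowed++;
  }
  return allowed;
}

// Constructed sample inputs (not taken from the bug).
const TOP = "https://alice:secret@intranet.example/index.html";
const SAMPLES = [
  ["https://cdn.example/app.js", "subresource"],
  ["https://alice:secret@intranet.example/logo.png", "subresource"],
  ["https://bob:guess1@intranet.example/logo.png", "subresource"],
  ["https://bob:guess1@other.example/login", "navigation"],
];

// Returns [url, blocked] pairs for the samples under a given policy.
function runSamples(opts = {}) {
  return SAMPLES.map(([url, kind]) => [url, shouldBlock(url, kind, TOP, opts)]);
}

console.log("strict:", runSamples());
console.log("with exemption:", runSamples({ exemptSameAsTopLevel: true }));
console.log(
  "guesses allowed, pref on/off:",
  guessesAllowed("victim.example", "admin", ["a", "b", "c"], TOP),
  guessesAllowed("victim.example", "admin", ["a", "b", "c"], TOP, { enabled: false })
);
```

Under the strict policy the plain CDN script and the top-level navigation pass, both credentialed subresources are refused, and every password guess in the loop is dropped; with the exemption switched on, the subresource that reuses the document's own credentials on the same origin is allowed again while a different user:pass pair on that origin is still blocked.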

FWIW I agree though I don't see this as a top priority (but I'll leave that to Necko folks).

Keywords: sec-want

Landed by Chrome in ?59? (2017). Flag to still use it anyway removed in 2021. We should probably follow suit.

Whiteboard: [necko-next] → [necko-triaged][necko-priority-new]

This is a duplicate of bug 479038.

Status: NEW → RESOLVED
Closed: 21 days ago
Duplicate of bug: 479038
Resolution: --- → DUPLICATE